On Wed, 2025-11-12 at 14:51 +0100, Petr Pavlu wrote:
> On 11/11/25 5:53 PM, James Bottomley wrote:
> > On Tue, 2025-11-11 at 16:48 +0100, Petr Pavlu wrote:
> > > The PKCS#7 code in sign-file allows for signing only with SHA-1.
> > > Since SHA-1 support for module signing has been removed, drop
> > > PKCS#7 support in favor of using only CMS.
> > 
> > The change log is a bit alarmist.  CMS really *is* PKCS7 and most
> > literature will refer to CMS as PKCS7.  What you're really
> > deprecating is the use of the PKCS7_sign() API which can only
> > produce SHA-1 signatures ... openssl is fully capable of producing
> > any hash PKCS7 signatures using a different PKCS7_... API set but
> > the CMS_... API is newer.
> > 
> > The point being the module signature type is still set to
> > PKEY_ID_PKCS7 so it doesn't square with the commit log saying "drop
> > PKCS#7 support". What you really mean is only use the openssl
> > CMS_... API for producing PKCS7 signatures.
> 
> Ok, I plan to update the description to the following in v2:
> 
> sign-file: Use only the OpenSSL CMS API for signing
> 
> The USE_PKCS7 code in sign-file utilizes PKCS7_sign(), which allows
> signing only with SHA-1. Since SHA-1 support for module signing has
> been removed, drop the use of the OpenSSL PKCS7 API by the tool in
> favor of using only the newer CMS API.

Much better, thanks!

Regards,

James
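
Added example, not part of the thread and not code from sign-file: a checker that reads a signed module's trailer, confirms the signature type is PKEY_ID_PKCS7, and reports the digest declared in the appended SignedData, so modules still signed with SHA-1 can be flagged. The trailer layout and OID values are written from the kernel's module signature format and the CMS specification; `module_digests`, `read_tlv` and `make_sample` are hypothetical names, and the sample input is a constructed skeleton rather than a real signature.

```python
import struct

MAGIC = b"~Module signature appended~\n"   # marker at the very end of a signed module
PKEY_ID_PKCS7 = 2                          # id_type in struct module_signature
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")   # 1.2.840.113549.1.7.2
DIGEST_OIDS = {bytes.fromhex("2b0e03021a"): "sha1",
               bytes.fromhex("608648016503040201"): "sha256",
               bytes.fromhex("608648016503040203"): "sha512"}

def read_tlv(buf, off):   # returns (tag, value_start, value_end) of one DER element
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                      # long form: low bits give the byte count
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, off, off + length

def module_digests(blob):
    """Digest names declared in the PKCS#7/CMS SignedData appended to a module."""
    if not blob.endswith(MAGIC):
        raise ValueError("no module signature trailer")
    end = len(blob) - len(MAGIC)
    # struct module_signature: algo, hash, id_type, signer_len, key_id_len, pad[3], be32 sig_len
    _, _, id_type, _, _, sig_len = struct.unpack(">5B3xI", blob[end - 12:end])
    if id_type != PKEY_ID_PKCS7:
        raise ValueError("signature is not PKEY_ID_PKCS7")
    sig = blob[end - 12 - sig_len:end - 12]
    _, pos, _ = read_tlv(sig, 0)               # ContentInfo SEQUENCE
    _, oid_s, oid_e = read_tlv(sig, pos)       # contentType OID
    if sig[oid_s:oid_e] != OID_SIGNED_DATA:
        raise ValueError("not SignedData")
    _, pos, _ = read_tlv(sig, oid_e)           # [0] EXPLICIT wrapper
    _, pos, _ = read_tlv(sig, pos)             # SignedData SEQUENCE
    _, _, pos = read_tlv(sig, pos)             # skip version INTEGER
    _, pos, set_end = read_tlv(sig, pos)       # digestAlgorithms SET
    names = []
    while pos < set_end:
        _, alg_s, alg_e = read_tlv(sig, pos)   # AlgorithmIdentifier SEQUENCE
        _, oid_s, oid_e = read_tlv(sig, alg_s) # algorithm OID
        names.append(DIGEST_OIDS.get(sig[oid_s:oid_e], sig[oid_s:oid_e].hex()))
        pos = alg_e
    return names

def make_sample(digest_oid):
    """Constructed test input: SignedData skeleton only, not a valid signature."""
    der = lambda tag, body: bytes([tag, len(body)]) + body   # short-form lengths only
    sd = der(0x30, der(0x02, b"\x01") + der(0x31, der(0x30, der(0x06, digest_oid))))
    sig = der(0x30, der(0x06, OID_SIGNED_DATA) + der(0xA0, sd))
    return b"constructed-module-body" + sig + struct.pack(">5B3xI", 0, 0, PKEY_ID_PKCS7, 0, 0, len(sig)) + MAGIC
```

Both constructed samples carry the same PKEY_ID_PKCS7 trailer; only the digest OID inside the SignedData differs.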

